Release 3.8.4

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

diff --git a/NEWS b/NEWS
index b014f1ab7adea48c7ce25759b7bfad0a75636d0a..85efb5680ccc0f250ced4b96cbd396d387e23731 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,7 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
-* Version 3.8.4 (unreleased)
+* Version 3.8.4 (released 2024-03-18)
 
 ** libgnutls: RSA-OAEP encryption scheme is now supported
    To use it with an unrestricted RSA private key, one would need to
@@ -14,6 +14,25 @@ See the end for copying conditions.
    to import restricted private keys if they are stored in PKCS#8
    format.
 
+** libgnutls: Fix side-channel in the deterministic ECDSA.
+   Reported by George Pantelakis (#1516).
+   [GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]
+
+** libgnutls: Fixed a bug where certtool crashed when verifying a certificate
+   chain with more than 16 certificates. Reported by William Woodruff (#1525)
+   and yixiangzhike (#1527).
+   [GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835]
+
+** libgnutls: Compression libraries are now loaded dynamically as needed
+   instead of all being loaded during gnutls library initialization.
+   As a result, the library initialization should be faster.
+
+** build: The gnutls library can now be linked with the static library
+   of GMP.  Note that in order for this to work libgmp.a needs to be
+   compiled with -fPIC and libhogweed in Nettle also has to be linked
+   to the static library of GMP.  This can be used to prevent custom
+   memory allocators from being overriden by other applications.
+
 ** API and ABI modifications:
 gnutls_x509_spki_get_rsa_oaep_params: New function.
 gnutls_x509_spki_set_rsa_oaep_params: New function.

diff --git a/configure.ac b/configure.ac
index 71226adc91406d980df5bcd2d6f65804c5f1ddd0..d6e03cf75a55adb10e89ae0a14788218455c5ed1 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.64)
 
 dnl when updating version also update LT_REVISION in m4/hooks.m4
-AC_INIT([GnuTLS], [3.8.3], [bugs@gnutls.org])
+AC_INIT([GnuTLS], [3.8.4], [bugs@gnutls.org])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4])
 AC_CANONICAL_HOST

diff --git a/devel/abi-dump b/devel/abi-dump
index 237f0723ef5f4aa47f299b16cc26d36839281b1f..3ffceb41f893004ba87cd18ebda93d40068dd5e1 160000 (submodule)
--- a/devel/abi-dump
+++ b/devel/abi-dump
@@ -1 +1 @@
-Subproject commit 237f0723ef5f4aa47f299b16cc26d36839281b1f
+Subproject commit 3ffceb41f893004ba87cd18ebda93d40068dd5e1

diff --git a/devel/libgnutls.abignore b/devel/libgnutls.abignore
index cdc36950784ee025d2abea5682e00074e5d05e4a..c19dce38e11a1c763a5d7bb7a17888e269dc61bf 100644 (file)
--- a/devel/libgnutls.abignore
+++ b/devel/libgnutls.abignore
@@ -70,8 +70,3 @@ name = drbg_aes_reseed
 
 # The following should be removed in the new release, after updating the
 # abi-dump repository:
-[suppress_function]
-name = gnutls_x509_spki_get_rsa_oaep_params
-
-[suppress_function]
-name = gnutls_x509_spki_set_rsa_oaep_params

diff --git a/m4/hooks.m4 b/m4/hooks.m4
index b826e44263d48a09479110a85c36f99f120a8c51..27accd2b84d691c01d4ee1565b91edf7a8e38485 100644 (file)
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
   #     in CONTRIBUTION.md for more info.
   #
   # Interfaces removed:                           AGE=0 (+bump all symbol versions in .map)
-  AC_SUBST(LT_CURRENT, 67)
-  AC_SUBST(LT_REVISION, 1)
-  AC_SUBST(LT_AGE, 37)
+  AC_SUBST(LT_CURRENT, 68)
+  AC_SUBST(LT_REVISION, 0)
+  AC_SUBST(LT_AGE, 38)
 
   AC_SUBST(LT_SSL_CURRENT, 27)
   AC_SUBST(LT_SSL_REVISION, 2)